OneTrust Cookies

This first-party cookie fires on a website when the OneTrust Banner CDN is deployed on that site. The consent status of a visitor is indicated using the first party OptanonConsent cookie.

When test scripts are placed on any site, the OptanonConsent cookie is dropped on the browser and is written to the domain where scripts are placed, not necessarily the domain for which the script was generated.

Example Scenario

The website onetrust.com is scanned in the OneTrust tool. The test scripts for onetrust.com are placed on a different website, onetoso.com. Notice that when test scripts are leveraged, the cookie is written to the domain where it is deployed, in this scenario it is onetoso.com.

Below, the Network tab shows that the domain scanned in the tool is onetrust.com and the ScriptType utilized on the page https:onetoso.com/domain1.html is TEST.

When production scripts are placed on a site, the OptanonConsent cookie is dropped on the browser and is written to the domain for which the script is specific to. In this scenario, if the domain scanned is onetrust.com and production scripts are placed on the live website (www.onetrust.com) and/or its sub-domains, the cookie is written to the root domain (.onetrust.com).

The below network call [data domain script].json provides information in detail.

Every domain scanned in the OneTrust tool will have a unique data-domain-script ID associated. The network call [data domain script].json will be generated with that data-domain-script ID associated with the scanned domain.

The value of the OptanonConsent cookie can be decoded within the Developer Tools section of your browser by checking the Show URL decoded box for a cookie value.

Decoded Example Cookie

isGpcEnabled=0&datestamp=Mon+Mar+27+2023+22:48:10+GMT-0400+(Eastern+Daylight+Time)&version=202303.1.0&browserGpcFlag=0&isIABGlobal=false&hosts=&consentId=6fcfe4fe-8de9-4101-bdf9-5dad0faf2611&interactionCount=0&landingPath=https://onetoso.com/domain1.html&GPPCookiesCount=1&groups=C0001:1,C0003:1,SSPD_BG:1,C0004:1,C0002:1&geolocation=US;MI&AwaitingReconsent=true

When consent is given or a necessary user interaction is performed per configuration, the script sets a first party cookie called OptanonAlertBoxClosed.

User Interactions on the Banner and Preference Center

This cookie is used to determine if a visitor should be shown the Banner. It is persistent and has a default lifespan of one year.

When OptanonAlertBoxClosed is dropped on a browser, it indicates an interaction from the user and that the banner will not be shown until the expiration of the cookie.

For example:

Once the OptanonAlertBoxClosed cookie expires and the value of OptanonConsent is reset completely to the default preferences, surfacing the Banner again for the user to interact:

Scenario 1

Show Banner is disabled in the geolocation rule, and the Preference Center is surfaced via footer link:

Scenario 2

Show Banner is enabled in the geolocation rule.

Used to store IAB TCF v2 preferences if the consent policy setting Set Global EU Consent is enabled in Geolocation Rules.

Used to store IAB TCF v2 preferences. Because the IAB global scope is deprecated, Set Global EU Consent has been disabled. This will be a first party cookie and the OptanonConsent cookie’s isIABGlobal value will be set to false. The cookie’s lifespan is one year by default.

The cookie value is an encoded consent string that vendors registered with the IAB framework can read to determine users’ consent. The size of this string can impact performance on your site if it gets too large, so it is recommended that you only enable ad tech vendors that you’re working with in your IAB Vendor List.

For more information on managing your IAB Global Vendor List, see Managing the IAB TCF Global Vendor List.

For more information on eupubconsent-v2, see IAB TCF 2.0 Consent String.

The string containing the vendors can be decoded using tools such as an IAB Decoder .

This cookie drops on the browser when Google Additional Consent mode is enabled within a template. For more information, see Using Google Additional Consent.

The additional consent (AC) string is stored in this first party cookie. The AC String is comprised of the following:

The expiration of the cookie is the same as the OneTrust cookies and also depends on the re-consent frequency defined in the associated geolocation rule.

For example, the AC string "1~1.35.41.101" means that the site visitor has consented to Google ATP Vendors with IDs 1, 35, 41 and 101, and the string is created using the format defined in the v1.0 specification

The cookie is set based on user consent from the otCCPAiab.js. This cookie has a value of true or false, based on if the user opts in or out of the otCCPAiab associated category.

This cookie is only set when the script src is the Google Ad Manager URL, which is the default script for IAB CCPA implementation. More information is available here.

For more information, see IAB CCPA: Configuring the US Privacy String with Cookie Consent.

This cookie is dropped when the GPP (Global Privacy Platform) feature is configured for a template within its geolocation rule group.

The GPP feature is available from version 202302.1.0 and onwards. The OTGPPConsent cookie is dropped when test/production scripts are published with version 202302.1.0 and onwards.

The value of OTGPPConsent can be decoded using tool such as an IAB GPP decoder.

For more information, see Configuring the Global Privacy Platform Settings and Global Privacy Platform: Detailed Overview.

This cookie isn’t written by OneTrust, but it is included with our script. Description from Cookiepedia:

Cookie associated with sites using CloudFlare, used to speed up page load times. According to CloudFlare it is used to override any security restrictions based on the IP address the visitor is coming from. It does not contain any user identification information.